Cisco Systems WSC4500X16SFP Manual De Usuario
33-9
Software Configuration Guide—Release 12.2(25)SG
OL-7659-03
Chapter 33 Configuring Network Security with ACLs
Layer 4 Operators in ACLs
Access lists 101 and 102 use the following Layer 4 operations:
•
Access list 101 Layer 4 operations: 5
–
gt 10 permit and gt 10 deny both use the same operation because they are identical and both
operate on the destination port.
operate on the destination port.
•
Access list 102 Layer 4 operations: 4
•
Total Layer 4 operations: 8 (due to sharing between the two access lists)
–
neg6 permit is shared between the two ACLs because they are identical and both operate on the
same destination port.
same destination port.
•
A description of the Layer 4 operations usage is as follows:
–
Layer 4 operation 1 stores gt 10 permit and gt 10 deny from ACL 101
–
Layer 4 operation 2 stores lt 9 deny from ACL 101
–
Layer 4 operation 3 stores gt 11 deny from ACL 101
–
Layer 4 operation 4 stores neg 6 permit from ACL 101 and 102
–
Layer 4 operation 5 stores neg 6 deny from ACL 101
–
Layer 4 operation 6 stores gt 20 deny from ACL 102
–
Layer 4 operation 7 stores lt 9 deny from ACL 102
–
Layer 4 operation 8 stores range 11 13 deny from ACL 102
How ACL Processing Impacts CPU
ACL processing can impact the CPU in two ways:
•
For some packets, when the hardware runs out of resources, the software must perform the ACL
matches:
matches:
–
TCP flag combinations other than rst ack and syn fin rst are processed in software. rst ack is
equivalent to the keyword established.
equivalent to the keyword established.
–
You can specify up to six Layer 4 operations (lt, gt, neq, and range) in an ACL in order for all
operations to be guaranteed to be processed in hardware. More than six Layer 4 operations will
trigger an attempt to translate the excess operations into multiple ACEs in hardware. If this
attempt fails, packets will be processed in software. The translation process is less likely to
succeed on large ACLs with a great number of Layer 4 operations, and on switches with large
numbers of ACLs configured. The precise limit depends on how many other ACLs are
configured and which specific Layer 4 operations are used by the ACLs being translated. The
eq operator does not require any Layer 4 operations and can be used any number of times.
operations to be guaranteed to be processed in hardware. More than six Layer 4 operations will
trigger an attempt to translate the excess operations into multiple ACEs in hardware. If this
attempt fails, packets will be processed in software. The translation process is less likely to
succeed on large ACLs with a great number of Layer 4 operations, and on switches with large
numbers of ACLs configured. The precise limit depends on how many other ACLs are
configured and which specific Layer 4 operations are used by the ACLs being translated. The
eq operator does not require any Layer 4 operations and can be used any number of times.
–
If the total number of Layer 4 operations in an ACL is less than six, you can distribute the
operations in any way you choose.
operations in any way you choose.
Examples:
The following access lists will be processed completely in hardware:
access-list 104 permit tcp any any established
access-list 105 permit tcp any any rst ack
access-list 107 permit tcp any synfin rst